Add cache layer (#156)

* Add session layer

* Fix up redirect issues on ext based content

* Fix up migration status

* Add cache deleting.

* Rearrange panel

* Docs.

* Docs

Author: dereuromark

README.md

@@ -17,7 +17,7 @@ This branch is for **CakePHP 5.0+**. For details see [version map](https://githu
 ### Authentication
 What are public actions, which ones need login?
 
-- Powerful wildcard (*) operator.
+- Powerful default configs to get you started right away.
 - [Quick Setup](https://github.com/dereuromark/cakephp-tinyauth/blob/master/docs/Authentication.md#quick-setups) for 5 minute integration.
 
 ### Authorization
@@ -30,7 +30,7 @@ Once you are logged in, what actions can you see with your role(s)?
 ### Useful helpers
 - AuthUser Component and Helper for stateful and stateless "auth data" access.
 - Authentication Component and Helper for `isPublic()` check on current other other actions.
-- Auth DebugKit panel for detailed insights into current URL and auth status.
+- Auth DebugKit panel for detailed insights into current URL and auth status, identity content and more.
 
 ## What's the idea?
 Default CakePHP authentication and authorization depends on code changes in at least each controller, maybe more classes.
@@ -39,10 +39,11 @@ This plugin hooks in with a single line of change and manages all that using con
 It is also possible to manage the config files without the need to code.
 And it can with adapters also be moved completely to the DB and managed by CRUD backend.
 
-Ask yourself: Do you need the overhead and complexity involved with the full blown (RBAC DB) ACL? See also my post [acl-access-control-lists-revised/](https://www.dereuromark.de/2015/01/06/acl-access-control-lists-revised/).
+Ask yourself: Do you need the overhead and complexity involved with a full blown (RBAC DB) ACL or very specific Policy approaches? 
+See also my post [acl-access-control-lists-revised/](https://www.dereuromark.de/2015/01/06/acl-access-control-lists-revised/).
 If not, then this plugin could very well be your answer and a super quick solution to your auth problem :)
 
-But even if you don't leverage the authentication or authorization, the available AuthUserComponent and AuthUserHelper
+But even if you don't leverage the full authentication or authorization potential, the available AuthUserComponent and AuthUserHelper
 can be very useful when dealing with role based decisions in your controller or view level. They also work stand-alone.
 
 

docs/AuthenticationPlugin.md

@@ -133,6 +133,25 @@ $this->AuthUser->identity();
 ```
 
 
-For all the rest follow the plugin's documentation.
+### Caching
+Especially when you use the PrimaryKeySession authenticator and always pulling the live data
+from DB, you might want to consider adding a short-lived cache in between.
+The authenticator supports this directly:
+
+In this case you need to manually invalidate the session cache every time a user modifies some of their
+data that is part of the session (e.g. username, email, roles, birthday, ...).
+For that you can use the following after the change was successful:
+```php
+use TinyAuth\Utility\SessionCache;
+
+SessionCache::delete($userId);
+```
+This will force the session to be pulled (the ID), and the cache refilled with up-to-date data.
+
+
+---
+
+
+For all the rest, follow the plugin's documentation.
 
 Then you use the [Authentication documentation](Authentication.md) to fill your INI config file.

docs/AuthorizationPlugin.md

@@ -63,21 +63,31 @@ Then you use the [Authorization documentation](Authorization.md) to set up roles
 
 #### Tips
 
-It is recommended to use a POST check for the login flash message, and silently redirect away otherwise.
+You can add loginUpdate() method to your UsersTable to update the user's data here accordingly:
 
+```php
+    /**
+     * @param \Authentication\Authenticator\ResultInterface $result
+     *
+     * @return void
+     */
+    public function loginUpdate(ResultInterface $result): void
+    {
+        /** @var \App\Model\Entity\User $user */
+        $user = $result->getData();
+        $this->updateAll(['last_login' => new DateTime()], ['id' => $user->id]);
+    }
+```
+Then hook it in:
 ```php
 // Inside your AccountController::login() method
     $result = $this->Authentication->getResult();
     // If the user is logged in send them away.
     if ($result && $result->isValid()) {
-        if ($this->request->is('post')) {
-            $this->Users->loginUpdate($result);
-            $target = $this->Authentication->getLoginRedirect() ?? '/';
-            $this->Flash->success(__('You are now logged in.'));
-
-            return $this->redirect($target);
-        }
+        $this->Users->loginUpdate($result);
+        $target = $this->Authentication->getLoginRedirect() ?? '/';
+        $this->Flash->success(__('You are now logged in.'));
 
-        return $this->redirect(['controller' => 'Account', 'action' => 'index']);
+        return $this->redirect($target);
     }
 ```

src/Auth/AclTrait.php

@@ -104,7 +104,7 @@ protected function _checkUser(ArrayAccess|array $user, array $params): bool {
 				$superAdminColumn = $this->getConfig('idColumn');
 			}
 			if (!isset($user[$superAdminColumn])) {
-				throw new CakeException('Missing super Admin Column in user table');
+				throw new CakeException('Missing super admin column `' . $superAdminColumn . '` in user table');
 			}
 			if ($user[$superAdminColumn] === $this->getConfig('superAdmin')) {
 				return true;

src/Authenticator/PrimaryKeySessionAuthenticator.php

@@ -11,6 +11,7 @@
 use Cake\Http\Exception\UnauthorizedException;
 use Psr\Http\Message\ResponseInterface;
 use Psr\Http\Message\ServerRequestInterface;
+use TinyAuth\Utility\SessionCache;
 
 /**
  * Session Authenticator with only ID
@@ -25,6 +26,7 @@ public function __construct(IdentifierInterface $identifier, array $config = [])
 		$config += [
 			'identifierKey' => 'key',
 			'idField' => 'id',
+			'cache' => false, // `true` to activate caching layer
 		];
 
 		parent::__construct($identifier, $config);
@@ -46,11 +48,29 @@ public function authenticate(ServerRequestInterface $request): ResultInterface {
 			return new Result(null, Result::FAILURE_IDENTITY_NOT_FOUND);
 		}
 
+		if (!is_scalar($userId)) {
+			// Maybe during migration? Let's remove this old one then
+			$session->delete($sessionKey);
+
+			return new Result(null, Result::FAILURE_IDENTITY_NOT_FOUND);
+		}
+
+		if ($this->getConfig('cache')) {
+			$user = SessionCache::read((string)$userId);
+			if ($user) {
+				return new Result($user, Result::SUCCESS);
+			}
+		}
+
 		$user = $this->_identifier->identify([$this->getConfig('identifierKey') => $userId]);
 		if (!$user) {
 			return new Result(null, Result::FAILURE_IDENTITY_NOT_FOUND);
 		}
 
+		if ($this->getConfig('cache')) {
+			SessionCache::write((string)$userId, $user);
+		}
+
 		return new Result($user, Result::SUCCESS);
 	}
 
@@ -73,6 +93,21 @@ public function persistIdentity(ServerRequestInterface $request, ResponseInterfa
 		];
 	}
 
+	/**
+	 * @inheritDoc
+	 */
+	public function clearIdentity(ServerRequestInterface $request, ResponseInterface $response): array {
+		if ($this->getConfig('cache')) {
+			$sessionKey = $this->getConfig('sessionKey');
+			/** @var \Cake\Http\Session $session */
+			$session = $request->getAttribute('session');
+			$userId = $session->read($sessionKey);
+			SessionCache::drop($userId);
+		}
+
+		return parent::clearIdentity($request, $response);
+	}
+
 	/**
 	 * Impersonates a user
 	 *

src/Middleware/UnauthorizedHandler/ForbiddenCakeRedirectHandler.php

@@ -45,6 +45,11 @@ class ForbiddenCakeRedirectHandler extends CakeRedirectHandler {
 	 * @return \Psr\Http\Message\ResponseInterface
 	 */
 	public function handle(Exception $exception, ServerRequestInterface $request, array $options = []): ResponseInterface {
+		$params = (array)$request->getAttribute('params');
+		if (!empty($params['_ext']) && $params['_ext'] !== 'html') {
+			throw $exception;
+		}
+
 		$response = parent::handle($exception, $request, $options);
 
 		$message = $options['unauthorizedMessage'] ?? __('You are not authorized to access that location.');

src/Middleware/UnauthorizedHandler/ForbiddenRedirectHandler.php

@@ -42,6 +42,11 @@ class ForbiddenRedirectHandler extends RedirectHandler {
 	 * @return \Psr\Http\Message\ResponseInterface
 	 */
 	public function handle(Exception $exception, ServerRequestInterface $request, array $options = []): ResponseInterface {
+		$params = (array)$request->getAttribute('params');
+		if (!empty($params['_ext']) && $params['_ext'] !== 'html') {
+			throw $exception;
+		}
+
 		$response = parent::handle($exception, $request, $options);
 
 		$message = $options['unauthorizedMessage'] ?? __('You are not authorized to access that location.');

src/Panel/AuthPanel.php

@@ -104,6 +104,13 @@ public function shutdown(EventInterface $event): void {
 		$data['config'] = $authUserComponent->getConfig();
 		$data['access'] = $access;
 
+		$data['identity'] = $request->getAttribute('identity');
+
+		/** @var \Authentication\AuthenticationService|null $auth */
+		$auth = $request->getAttribute('authentication');
+		$data['authenticationProvider'] = $auth ? $auth->getAuthenticationProvider() : null;
+		$data['identificationProvider'] = $auth ? $auth->getIdentificationProvider() : null;
+
 		$this->_data = $data;
 	}
 
@@ -173,7 +180,7 @@ protected function _injectRole(array $user, $role, $id) {
 	 *
 	 * @return array
 	 */
-	protected function _generateUser($role, $id) {
+	protected function _generateUser($role, $id): array {
 		$user = [
 			'id' => 0,
 		];

src/Utility/SessionCache.php

@@ -0,0 +1,109 @@
+<?php
+
+namespace TinyAuth\Utility;
+
+use ArrayAccess;
+use Cake\Cache\Cache;
+use Cake\Core\Configure;
+use Cake\Core\Exception\CakeException;
+use Cake\Core\StaticConfigTrait;
+
+/**
+ * TinyAuth cache wrapper around session cache engine(s).
+ */
+class SessionCache {
+
+	use StaticConfigTrait;
+
+	protected static array $_defaultConfig = [
+		'cache' => 'default',
+		'prefix' => 'auth_user_',
+	];
+
+	/**
+	 * Clears all session user info based on prefix
+	 *
+	 * @return void
+	 */
+	public static function clear(): void {
+		$config = static::prepareConfig();
+		static::assertValidCacheSetup($config);
+
+		if (!empty($config['groups'])) {
+			foreach ((array)$config['groups'] as $group) {
+				Cache::clearGroup($group, $config['cache']);
+			}
+
+			return;
+		}
+
+		Cache::clear($config['cache']);
+	}
+
+	/**
+	 * @param string|int $userId
+	 * @param \ArrayAccess|array $data
+	 *
+	 * @return void
+	 */
+	public static function write(int|string $userId, ArrayAccess|array $data): void {
+		$config = static::prepareConfig();
+
+		Cache::write(static::key($userId), $data, $config['cache']);
+	}
+
+	/**
+	 * @param string|int $userId
+	 *
+	 * @return \ArrayAccess|array|null
+	 */
+	public static function read(int|string $userId): ArrayAccess|array|null {
+		$config = static::prepareConfig();
+
+		return Cache::read(static::key($userId), $config['cache']) ?: null;
+	}
+
+	/**
+	 * @param string|int $userId
+	 *
+	 * @return bool
+	 */
+	public static function delete(int|string $userId): bool {
+		$config = static::prepareConfig();
+
+		return Cache::delete(static::key($userId), $config['cache']);
+	}
+
+	/**
+	 * @param string|int $userId
+	 * @return string
+	 */
+	public static function key(int|string $userId): string {
+		$config = static::prepareConfig();
+
+		static::assertValidCacheSetup($config);
+
+		return $config['prefix'] . $userId;
+	}
+
+	/**
+	 * @param array<string, mixed> $config
+	 * @throws \Cake\Core\Exception\CakeException
+	 * @return void
+	 */
+	protected static function assertValidCacheSetup(array $config): void {
+		if (!in_array($config['cache'], Cache::configured(), true)) {
+			throw new CakeException(sprintf('Invalid or not configured TinyAuth cache `%s`', $config['cache']));
+		}
+	}
+
+	/**
+	 * @return array<string, mixed>
+	 */
+	protected static function prepareConfig(): array {
+		$defaultConfig = static::$_defaultConfig;
+
+		return (array)Configure::read('TinyAuth') + $defaultConfig;
+	}
+
+}